Mobile Phone Encryption Crack Downplayed by GSMA

The Global System for Mobile Communications Association claims the latest attack on the A5/1 encryption algorithm is not practical.

Security researchers have cracked the encryption code used
to protect most of the world's digital mobile phone calls, but some say the
impact is being exaggerated.
According to reports, cryptographer Karsten Nohl led an
effort to break the 21-year-old GSM algorithm used to protect the privacy of 80
percent of mobile phone calls worldwide. Known as the A5/1 algorithm, the cipher has
been used to secure digital phone conversations since 1988.

In his Dec. 27
presentation at the Chaos Communication Conference in Berlin,
Nohl stated he had 2TB of cracking tables that could be used to find the
encryption key being used to protect a telephone conversation. According
to the New York Times, Nohl told conference attendees his research shows "existing
GSM security is inadequate."

"We are trying to push operators to adopt better
security measures for mobile phone calls," Nohl said.
However, the GSMA
(Global System for Mobile Communications Association), which represents wireless
companies, said the impact of the discovery is being overstated.
"Over the past few years, a number of academic papers
setting out, in theory, how the A5/1 algorithm could be compromised have been
published," GSMA spokesperson Claire Canton told eWEEK. "However,
none to date have led to a practical attack capability being developed against
A5/1 that can be used on live, commercial GSM networks."
In 2007 and 2008, a hacking group claimed to be building an
attack on A5/1 by constructing a large look-up table of approximately 2TB, Canton
said, adding someone with access to such a table could
theoretically analyze an encrypted call and recover the encryption key.
However, before a practical attack could be attempted, the GSM call has to be identified
and recorded from the radio interface, she explained.
"So far, this aspect of the methodology has not been
explained in any detail and we strongly suspect that the teams attempting to
develop an intercept capability have underestimated its practical complexity,"
Canton said. "A hacker would
need a radio receiver system and the signal processing software necessary to
process the raw radio data. The
complex knowledge required to develop such software is subject to intellectual
property rights, making it difficult to turn into a commercial product."
The
codebook Nohl and his cohorts developed is available on the Internet via
BitTorrent, though he reportedly did not discuss where it could be downloaded
due to legal concerns.
Prior to
this latest discovery, the GSMA had already been working on enhancing
encryption, and has developed A5/3 to take the place of A5/1, Canton said.
"Over
the past decade, export control agencies have removed many of the traditional
barriers to the sale of cryptographic technologies enabling the development and
use of A5/3," she noted. "This new privacy algorithm is being phased
in to replace A5/1."